1
Blockchain Behind the Hype What is
Really Motivating It?
Session 240, February 14, 2019, 11:30 AM -12:30 PM
Mitchell Parker, Executive Director Infosec & Compliance, Indiana University Health
2
Mitchell Parker, MBA, CISSP
Has no real or apparent conflicts of interest to report.
Conflict of Interest
3
Discuss Learning Objectives
The Hype
The Reality
What Problems are we Trying to Solve/Not Solve?
Why do we Fail?
What can we do About it?
Cybersecurity Changes/Defense Against the Dark Arts
Management Processes
Putting it all Together
Summary/Conclusion
Agenda
4
Describe the fundamental technologies behind private
Blockchains and how they apply in a collaborative environment
Recognize how customization of Electronic Medical Record and
enterprise resource planning systems have led to an inability to
share data with peers and easily reconcile data
Analyze current business processes and systems for opportunities
to apply collaborative technologies
Develop governance techniques to implement private Blockchain
technologies effectively using current organizational structures to
monitor and maintain the relevant business processes
Employ collaborative and distributed technologies such as
Blockchain to demonstrate organizational improvement
Learning Objectives
5
To explain the problems that Blockchain and Distributed Ledger
Technologies presume to solve, and how organizations can better
prepare themselves not only for collaboration, but to enable new
technologies such as Blockchain/DLT
Purpose of Presentation
6
This is a technology that has been touted to fix any number of
issues, and provides a number of improvements over existing
technologies.
However, there have been a lot of promises that have not been
met
The promise of this technology has drawn people from all over the
spectrum to look toward it to facilitate solving critical business
problems
The Business wants to be involved and participate in this
innovation and this brings forth many new ideas.
The Hype
7
Organizations need to make major changes to be able to
accommodate new technologies
Blockchain is just the latest of many new tech innovations
They have not been good at adopting new technologies and
providing effective management or governance
Cloud
Electronic Medical Records
Connected Medical Devices
Telemedicine
Smartphones
The Reality
8
Organizations will need to make fundamental changes to their
security programs to accommodate this technology
Shadow IT is now IT
The role of the CISO transforms from being an IT role to that
of a business enabler
They will need to provide guardrails for people to help empower
them no longer do the work for them
Collaboration and innovation is the new way, not the Data Center
or the IT Gurus
We have an opportunity to help guide innovation, but need to
provide a solid foundation to do so
The Reality
9
Frustration with the current state in EMR, ERP, and legacy
systems
Especially recordkeeping and audit logs
IT vs. Shadow IT vs. Innovation
Silos do not build the organizational cooperation we need
It shouldn’t take Millennials to point this out but it does
Consensus
Fundamental tenet of Blockchain is consensus and
cooperation
Auditability
Collaboration Across Non-Trusting Entities
Interoperability/Data Interchange
What Problems Are We Trying To
Solve? Why are we Here?
10
We have built these complex environments which have been
customized over the years
Especially with Electronic Medical Records and Enterprise
Resource Planning Systems
We have focused on fitting software to processes, instead of
using the software the way it was meant to be used
We have data locked up and isolated that reduces its usefulness
We have processes built around customization that are not
efficient and have caused inadvertent silos
We have also increased fragility of systems and inherent risk by
continuing to run complex systems we cannot upgrade because
they will break the business if we do
What are the major reasons that cause
customer frustration?
11
Distributed Verification and Validation Across Multiple Systems of
Record
Especially Clearinghouses!
Distributed Accounting/Ledger Recording
Distributed and Ephemeral Auditing
A need to standardize
Supply Chain
Identity Management
Credential Verification
Patient Empowerment/Incentivization
What Problems are we Trying to Solve?
12
Cybersecurity
Existing systems
Poor fits of the technology to the proposed solutions
Governance
Leadership and Management
What doesn’t it solve?
13
LEADERSHIP
Everything is a Nail using technology to fix issues that require
deeper analysis
Not Following Up
Legacy Systems
Legacy Business Processes, Policies, and Procedures
Undocumented Data
Why do Initiatives to Fix These
Problems Fail?
14
Cybersecurity Issues
Low Risk Appetite
Budget
Culture of No not a Culture of Innovation
Our Business Partners
Why Do We Fail?
15
We need to prepare the organization to evolve its risk tolerance
Not increase it, mature it to accommodate innovation and
change
Internalize Risk Management
Risk management processes and assessments, not
technologies
Risk Management Plans to address identified risks
Address business needs with an eye toward technology
being used to augment processes and improve the
organization
Identified stakeholders that are held accountable
Continual Following Up
What Can We Do About It?
16
Security is no longer about the perimeter anymore
It’s about Zero Trust and protecting each individual system
Organizations need to evolve to meet the needs of the Cloud
It also involves deepening knowledge and defenses of several key
technologies
Cybersecurity Changes
17
In addition to traditional security technologies, we need to add
some new ones to our toolsets
Blockchain (not the underlying tech) systems are especially
vulnerable to network hijacks, identity fraud, vulnerabilities, and
insider threats
Anti-virus on a machine behind a firewall is no longer sufficient
New techniques and tools for toolsets to deploy these systems
and manage the risks
Defense Against the Dark Arts
18
Border Gateway Protocol (BGP) Routing
BGP Hijacking is a now-common attack used to reroute
traffic to rogue servers
BGP uses Autonomous System Numbers (ASNs) to
broadcast networks that a given site can route
Hijacking involves ASNs routing networks that they should
not, and routing traffic to rogue networks
Used against https://www.myetherwallet.com
Also used by Russia and China to attack sites
Since many sites do not monitor BGP, this is highly effective
BGP Secure (BGPSec) has barely been used because it
would shut out large portions of the Internet
What Security Technologies do we
need to be proficient in ?
19
Domain Name Services (DNS) and DNS Secure (DNSSec)
The “phonebook” of the Internet
Used to associate Domain Names with IP addresses
Also used to associate Domains and IP addresses with services
offered or resources
Email Security (SPF, DMARC, MX Records)
Directory Services (Active Directory)
Authentication Services (Kerberos, LDAP/S)
Can even be used for exfiltration of data
Also can be hijacked to impersonate sites and reroute traffic
DNS Hijacking has been used to successfully do so
DNS Secure has seen little adoption needs to change!
Security Technologies
20
Public Key Infrastructure (PKI)
The process by which digital identities based on strong
cryptography and an identity proofing process are issued by
organizations
DEAs ePrescribe for Controlled Substances Rules (21CFR Parts
1300, 1304, 1306, and 1311) require an enrollment process based
on the NIST Special Publication 800-63 Series
SP 800-63-3 Digital Identity Guidelines
SP 800-63A Enrollment and Identity Proofing
SP 800-63B Authentication and Lifecycle Management
SP 800-63C Federation and Assertions
Organizations need to focus on having a robust enrollment and
federation process to be able to issue and validate digital
identities for Blockchain
Security Technologies
21
The processes by which a person, machine, or entity has
entitlements to resources granted or removed based on defined
requirements and/or job roles
Requires BGP to get a network path to the resources
Requires DNS to provide a lookup to them
Requires PKI and associated Federation technologies to assure
that the processes used to establish identity and associate them
with a provable digital identity
Also requires DNS to look up and provide a path to the root
certificates needed to verify and validate digital identities
Requires well-defined roles, requirements, and entitlement
definitions especially for dynamic cloud machines!
Provides the “who did what” for logging, auditing, Blockchain, and
other distributed technologies
Identity and Access Management
(IAM/IDM)
22
Due to the reliance on the core technologies of BGP, DNS, PKI,
and IDM/IAM, organizations need to monitor each of them for
anomalies
They also need to monitor all of the systems on your network
Having a System Incident and Event Management (SIEM) system
is a requirement for being able to monitor all of these core
technologies
Monitoring and Logging
23
With the volume of data that modern cloud-based systems can
generate, organizations need to look toward cloud-based SIEM
systems to be able to store and process the amounts of data
required to find anomalies
Newer threat hunting systems use AI or Machine Learning to sift
through the vast amounts of data to find anomalies and potential
issues
Required to scale Blockchain/DLT systems to handle high
volumes
Older technologies will miss data and patterns needed to
detect them
Monitoring and Logging
24
Many of the successful hacks on cryptocurrency exchanges used
existing vulnerabilities
Equifax, amongst others, was breached because of unpatched
servers
It took 2 weeks from Microsoft Patch Release for WannaCry to
appear and it is still pestering the Internet
Berkeley Internet Name Daemon, the #1 DNS server in the
market, has numerous vulnerabilities that come out monthly
So do Linux and Windows
Networking products, amongst others, also require constant care
and feeding
Organizations need to continually manage infrastructure
No more Set and Forget asking to be owned!
Vulnerability Management
25
Under the HIPAA Security Rule, organizations are required to
know where data resides and the data flows
Organizations immortalizing data by using immutable (for the time
being) cryptography need to have a provable path to show that
this is valid data
They also need to be able to demonstrate forward and backward
flows of data between Blockchain based systems and existing
transactional ones
They need to have assigned resources who actively develop and
manage a program based on identified risks and needs
Do not try and automate this with tools. They will not
understand the context of the data and will fail
Data Governance
26
Management processes also need to evolve
Organizations cannot expect to bring technologies in and expect
to have them automatically bring organizational change
They need to manage the technology effectively to demonstrate
organizational benefits
Management Processes
27
Payment Card Industry Data Security Standards (PCI-DSS)
Compliance
PCI is more than just technical work
There is a lot of work in segmenting off transactional
processing from the rest of the network
There is also emphasis on compliance monitoring, continual
review, and additional security on transactional systems
Organizations will want to treat systems used in Blockchain
processing with the same degree of security
Management Areas To Cover
28
Review policies and procedures to make sure these additional
requirements are covered:
Cybersecurity
Continual Monitoring and Review
Additional Network Security
Identity Proofing and Enrollment
PKI
Identity and Access Management
PCI-DSS
Data Governance
Policies/Procedures
29
Contract language needs to cover the additional Cybersecurity
requirements
It also needs to cover strict Service Level Agreements to address
emerging cybersecurity issues
Get engineers on the phone that can resolve issues in 30
minutes
Vulnerability Management is now paramount
Issues need to be addressed in 7 days
Right to Audit organizations in a consortium need to be able to
audit each other’s systems used for processing data for
vulnerabilities and issues
Contract Language - Consortia
30
Dispute Resolution There needs to be governance processes
and requirements for this
Amendments of Records This is a permanent record, but there
needs to be a way to append amendments and changes, and a
way to find them that is done at the contract level
Processing Power Make sure no one single entity controls a
majority of the processing power or compute resources
Contract Language - Consortia
31
Organizations need a standard intake process that addresses the
following gatepoints:
Clinical or Line of Business Review
Architecture Review
Security Review
Data Governance Review
Especially for potential international storage of data!
Tracking of security documentation
Tracking of outstanding items to resolve
Organizational Governance and Intake
32
Understand what the standard work processes are
Document them and understand what people do
If organizations don’t understand themselves, their processes,
and their standard work, they will not be able to see if innovative
technologies are a fit in the right place
Standard Work Processes
33
Measurable Metrics and Monitoring
Quantify performance and be able to determine where there are
opportunities for improvement
Have goals to achieve and measurable ways to meet them
Tie them into overall organizational performance and risk
measures
If teams can’t measure them or tie to org goals, don’t do them
M3 - Measurements
34
“No IT Involvement” is no longer a fit
Incoming vendors need to go through the same intake process as
everyone else
They need strong contracts and Business Associate Agreements
that enforce service level agreements
They need to have plans for each incoming application or service
to make sure that there is someone accountable, and that there
are team members from security monitoring it
The Security Operations Center needs to monitor even if they do!
Vendor Monitoring/Management
35
Orgs need to have an effective change management process
Emphasize Failure Mode and Effects Analysis to address what
can potentially go wrong
Focus on having well-thought-out testing and communication
plans
Be able to roll back with as little impact as possible
Most important be able to address the impact of the changes
across the organization and be able to communicate them
Change Management
36
Don’t restrict innovation to one organization in the corporate
structure
Example Wal-Mart vs. K-Mart/Bluelight.com and the latter
not addressing Supply Chain issues in Michigan while
running their Internet operations in SF
Openly engage and solicit from others to get their views
The promise of having technologies like Blockchain has been
through inclusive participation and equality
Restricting innovation or trying to micromanage it is contrary
to that
Use the results from Risk Assessments and the drive to do more
with less as a means to encourage innovative ways to improve
Innovation
37
We’re going to take Risk, Cybersecurity, and Management and
use them to determine what projects to assess
Cut past the hype and get solutions that meet business and
customer needs
Putting it all Together!
38
Pick a process to improve (not multiple ones) that has a
combination of high risk and opportunity for improvement
One at a time avoids scope creep
Make sure it’s a real business need, not a nice to have
Use the Risk Assessment results and understanding of standard
work processes to make the determination
Don’t pick a low risk process
Don’t pick something that isn’t understood well
Don’t pick something that can’t be measured or define
success with!
Pick the Right Process
39
Leverage the internal innovators that want to solve problems
Solicit for the people that want to creatively solve issues
Build a solid business case including:
Risks addressed
Processes Improved
Organizational Benefit
How technology will be managed and secured
Most important, emphasize cross-organizational cooperation and
the implementation of the principles of consensus and
cooperation as part of the solution
IT is not going to be the primary solution provider, but part of a
team
Get Excellent Support
40
Set goals of increasing engagement and improvement
Make sure the team members are all similarly committed
Teams need people who truly want to solve problems and improve
organizations
Consensys, as a company, has done excellent work in
promoting collaboration and finding team members who are
driven to solve problems
It is truly important to be inclusive and to look for people who want
to do the work and address issues, rather than people who want
to look good
Tech is hard work. Just because there are cool tools doesn’t
make it easy. Avoid the people looking for another tool.
Pick the Right Team Members
41
Success is not guaranteed
Project components will fail
There will be cost overruns
There will be security issues
Use Change Management and FMEA to plan for failure
Use Vulnerability Management as a process for prototyping
responses to issues
Always practice open communication, even when failure happens
Be Prepared to Fail
42
Share findings and learnings across the organization
Don’t innovate in a silo
Be that person that explains these items
Don’t be afraid to speak at conferences or publish
This actually helps build credibility
It also reduces hype and hyperbole
Share
43
This technology, like many others, has incredible potential benefit
However, it’s been significantly hyped
We need to defuse that hype by taking a practical risk-based
approach
We need to manage the new cybersecurity threats
Management needs to be innovative
We need to pick the right problems to solve with the right people
We need to be continual and be prepared to fail and recover
repeatedly
In Summary
44
Questions?
Thank you!
45
Please complete your online session evaluation!
Contact Info:
Mitchell Parker
Executive Director, Information Security and
Compliance
Indiana University Health
Email: Mitchell.parker@iuhealth.org
Twitter: @mitchparkerciso
LinkedIn: https://www.linkedin.com/in/mitch-p-
95a9a04/
Cell: 215 519 1053
Questions